Monday, April 14, 2014

REST Authentication

Notes on some REST authentication implementations

http://stackoverflow.com/questions/319530/restful-authentication 

Here is a truly and completely RESTful authentication solution:

 1. Create a public/private key pair on the authentication server.
 2. Distribute the public key to all servers.
 3. When a client authenticates:
    3.1. Issue a token which contains the following:
         * Expiration time
         * User's name (optional)
         * User's IP (optional)
         * Hash of a password (optional)
    3.2. Encrypt the token with the private key.
    3.3. Send the encrypted token back to the user.
 4. When the user accesses any API they must also pass in their auth token.
 5. Servers can verify that the token is valid by decrypting it using the auth server's public key.

This is stateless/RESTful authentication. Note that if a password hash were included, the user would also send the unencrypted password along with the authentication token. The server could verify that the password matched the password that was used to create the authentication token by comparing hashes. A secure connection using something like HTTPS would be necessary. JavaScript on the client side could handle getting the user's password and storing it client side, either in memory or in a cookie, possibly encrypted with the server's public key.
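The scheme quoted above, worked through end to end as an added example (my own code, not from the Stack Overflow answer or this blog). It follows the answer's steps: the auth server holds the key pair, resource servers receive only the public key, the issued token carries an expiration time and the user's name, and any API server checks the token without a session store. Where the answer says "encrypt with the private key / decrypt with the public key", the example uses what that amounts to in practice, a digital signature (Ed25519 from Go's standard library); the claim field names, the `base64url(claims).base64url(signature)` token layout and the `alice` sample user are my own choices. The optional IP and password-hash fields are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token is the claim set the auth server issues (step 3.1). Field names are
// an assumption of this example; the answer does not prescribe a format.
type Token struct {
	Expires int64  `json:"exp"`            // Unix seconds
	User    string `json:"user,omitempty"` // optional user name
}

// AuthServer owns the private key (step 1). Resource servers only ever see
// PublicKey() (step 2), so a compromised API host cannot mint tokens.
type AuthServer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewAuthServer() (*AuthServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthServer{priv: priv, pub: pub}, nil
}

func (a *AuthServer) PublicKey() ed25519.PublicKey { return a.pub }

// Issue builds the claims, signs them with the private key and returns the
// token to hand back to the client (steps 3.1-3.3).
// Layout: base64url(claims) "." base64url(signature).
func (a *AuthServer) Issue(user string, ttl time.Duration, now time.Time) (string, error) {
	claims, err := json.Marshal(Token{Expires: now.Add(ttl).Unix(), User: user})
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(a.priv, claims)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(claims) + "." + enc.EncodeToString(sig), nil
}

var (
	ErrInvalidToken = errors.New("invalid token")
	ErrExpired      = errors.New("token expired")
)

// Verify is what every API server runs on each request (steps 4-5). It needs
// only the public key: check the signature first, then the expiration, and
// only then trust anything inside the claims.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (*Token, error) {
	i := strings.IndexByte(token, '.')
	if i < 0 {
		return nil, ErrInvalidToken
	}
	enc := base64.RawURLEncoding
	claims, err := enc.DecodeString(token[:i])
	if err != nil {
		return nil, ErrInvalidToken
	}
	sig, err := enc.DecodeString(token[i+1:])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, ErrInvalidToken
	}
	if !ed25519.Verify(pub, claims, sig) {
		return nil, ErrInvalidToken // forged, tampered, or signed by another key
	}
	var t Token
	if err := json.Unmarshal(claims, &t); err != nil {
		return nil, ErrInvalidToken
	}
	if now.Unix() >= t.Expires {
		return nil, ErrExpired
	}
	return &t, nil
}

func main() {
	srv, err := NewAuthServer()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := srv.Issue("alice", time.Hour, now) // sample user, constructed
	fmt.Println("token:", tok)
	if claims, err := Verify(srv.PublicKey(), tok, now); err == nil {
		fmt.Println("accepted for", claims.User)
	}
	_, err = Verify(srv.PublicKey(), tok, now.Add(2*time.Hour))
	fmt.Println("two hours later:", err)
	_, err = Verify(srv.PublicKey(), "f"+tok[1:], now) // flip one claims byte
	fmt.Println("tampered claims:", err)
}
```

Because the signature covers the encoded claims, an API server cannot be fooled by a client editing the expiration or user name, and because verification needs no call back to the auth server, the scheme stays stateless as the answer describes. Anything the answer lists as optional (client IP, password hash) would simply be added to `Token` and checked in `Verify` after the signature passes.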
